Abstract

This paper describes a quantum algorithm for efficiently decomposing finite Abelian groups. 
Such a decomposition is needed in order to apply the Abelian hidden subgroup algorithm. 
Such a decomposition (assuming the Generalized Riemann Hypothesis) also leads to an efficient 
algorithm for computing class numbers (known to be at least as difficult as factoring). 

1 Introduction 

The work by Shor Q on factoring and finding discrete logarithms over $\mathbb{Z}^*$ can be generalized to
solve the Abelian Hidden Subgroup Problem (see for example |lCj], Q, |7|] ). These algorithms
find the hidden subgroup of a function $f : G \to S$, where
$G = \mathbb{Z}_{N_1} \times \cdots \times \mathbb{Z}_{N_l}$ for some integers
$N_1, N_2, \ldots, N_l$. Any Abelian group G is isomorphic to such a product of cyclic groups; however, it
is not always known how to find such an isomorphism efficiently. Consider for example the group
$\mathbb{Z}_N^*$, the multiplicative group of integers modulo N. This is an Abelian group we can compute in
efficiently, yet no known classical algorithm can efficiently find its decomposition into a product
of cyclic groups. Consider also the class group of a quadratic number field. This group is also
Abelian, and finding its decomposition into a product of finite cyclic groups will give us the size of
the group and therefore the class number of the quadratic number field. As Watrous Q points
out, assuming the generalized Riemann Hypothesis we can apply the algorithm in this paper and
efficiently find class numbers (a problem known to be at least as hard as factoring).

In this paper, we show how we can make use of the solution to the Abelian Hidden Subgroup 
Problem to decompose a finite Abelian group. Such decompositions make it possible to apply the
Abelian Hidden Subgroup algorithm to a larger class of Abelian groups. 

2 Integer Arithmetic Basics 

A nonsingular integral matrix U is called unimodular if U has determinant ±1. It is easy to
check that U is unimodular if and only if $U^{-1}$ is unimodular.

The following operations on a matrix are called elementary (unimodular) column operations: 
1. exchanging two columns; 2. multiplying a column by -1; 3. adding an integral multiple of one 
column to another column. 
We define elementary row operations similarly.



Theorem 1 For any integral matrix A, one can find in polynomial time using elementary row
and column operations unimodular matrices U and V such that
$UAV = \begin{pmatrix} D & 0 \\ 0 & 0 \end{pmatrix}$ where $D = \mathrm{Diag}(d_1, \ldots, d_k)$
with positive integers such that $d_1 \mid d_2 \mid \cdots \mid d_k$ and for each i, the product
$d_1 \cdots d_i$ is equal to the g.c.d. of the subdeterminants of A of order i. We call the matrix
$\begin{pmatrix} D & 0 \\ 0 & 0 \end{pmatrix}$ the Smith normal form (abbreviated as SNF) of A.

Proof : See Kannan and Bachem |j. 

3 Group Theory Basics 

Recall that a group G is said to be Abelian if for all $a, b \in G$, $a \cdot b = b \cdot a$. In this paper, all groups
are finite Abelian unless otherwise stated. G is said to be cyclic if there exists $a \in G$ such that
$G = \{a^n \mid n \in \mathbb{Z}\}$. Here, we call a a generator of G. $H \subseteq G$ is called a subgroup of G if H is a
group under the operation induced by G. In this case, we write $H \le G$. Let $a \in G$. The set
$aH = \{g \in G \mid g = ah \text{ for some } h \in H\}$ is called a coset of H in G determined by a.

Let $a \in G$. If $a^n = e$ for some $n \in \mathbb{N}$, then a is said to have finite order. The smallest such n
is called the order of a, denoted by ord(a). It is easy to see that the elements in $\{e, a, a^2, \ldots, a^{n-1}\}$
form a subgroup. We call this subgroup the cyclic subgroup generated by a and we denote it by
$\langle a \rangle$.

Let $G_1, G_2$ be groups such that $G_1 \cap G_2 = \{e\}$. The set $\{a_1 a_2 \mid a_1 \in G_1, a_2 \in G_2\}$, denoted
by $G_1 \oplus G_2$, is called the direct sum of $G_1$ and $G_2$. Note that $G_1 \oplus G_2$ is a group under binary
operation $\cdot$ such that $(a_1 b_1)(a_2 b_2) = (a_1 b_1)(a_2 b_2)$.

Let G be a group and p be a prime number. Let $P \le G$. Then P is called a Sylow p-subgroup
of G if $|P| = p^\alpha$ for some $\alpha \in \mathbb{N}$ such that $p^\alpha$ divides $|G|$ but does not.

We first quote a few classical results without proof. The interested reader can refer to a standard 
text on group theory. 

Theorem 2 If N is a subgroup of an Abelian group G, then the set of cosets of N forms a group
under the coset multiplication given by

$$aN\,bN = abN$$

for all $a, b \in G$. The group is denoted by G/N.

Theorem 3 Let N be a subgroup of a finite Abelian group G. If $a_1, \ldots, a_k$ generates G, then
$a_1 N, \ldots, a_k N$ generates G/N.

Theorem 4 A finite Abelian group can be expressed as a direct sum of its Sylow p-subgroups.

Theorem 5 Let K be a subgroup of $G = G_{p_1} \oplus \cdots \oplus G_{p_l}$ where $G_{p_i}$ is a Sylow $p_i$-subgroup for
$i = 1, \ldots, l$ and $p_1, \ldots, p_l$ are distinct primes. Then there exists $K_{p_i} \le G_{p_i}$, $i = 1, \ldots, l$, such that

$$K = K_{p_1} \oplus \cdots \oplus K_{p_l}.$$

The next theorem is an important result on finite Abelian groups.



Theorem 6 (Fundamental Theorem of Finite Abelian Groups). Any finite Abelian group can be 
decomposed as a direct sum of cyclic subgroups of prime power order. 

In this paper, we shall give an algorithm to find the decomposition. 
The next theorem is an integral part of the algorithm. 

Theorem 7 Given a generating set $\{a_1, \ldots, a_k\}$ of a finite Abelian group G and a matrix M such
that $a_1^{x_1} \cdots a_k^{x_k} = e$ if and only if $x = (x_1, \ldots, x_k)^T \in \mathrm{intcol}(M)$, where intcol(M) denotes the set of
vectors obtainable by taking integer linear combinations of columns of M, we can find in polynomial
time (in the size of M) $g_1, \ldots, g_l$ with $l \le k$ such that $G = \langle g_1 \rangle \oplus \cdots \oplus \langle g_l \rangle$.

Proof : (Adapted from Algorithm 4.1.3 in ||.) By Theorem 1, we can find in polynomial time
unimodular matrices U and V such that $U^{-1} M V = \begin{pmatrix} D & 0 \\ 0 & 0 \end{pmatrix}$
where D is a diagonal matrix with diagonal entries $d_1, \ldots, d_m$. Since V is unimodular,
intcol(MV) = intcol(M). Thus, $a_1^{x_1} \cdots a_k^{x_k} = e$ if and only if
$x = (x_1, \ldots, x_k)^T \in \mathrm{intcol}(MV)$. For each $i = 1, \ldots, k$, set
$a'_i = a_1^{U_{1i}} \cdots a_k^{U_{ki}}$. Then

$$(a'_1)^{x_1} \cdots (a'_k)^{x_k} = e$$
$$\iff (x_1, \ldots, x_k)^T \in \mathrm{intcol}(U^{-1} M V)$$
$$\iff d_i \mid x_i \text{ for } i = 1, \ldots, m, \text{ and } x_i = 0 \text{ for } i = m + 1, \ldots, k.$$

Since G is finite, we must have m = k. Otherwise, G will have an element of infinite order. Let j
be the smallest index such that $d_j > 1$. Set $g_i = a'_{i+j-1}$ for $i = 1, \ldots, l$ where $l = m - j + 1$. It is
clear that $g_1, \ldots, g_l$ still generate G and $g_i$ has order $d_{i+j-1}$ for $i = 1, \ldots, l$. Therefore, if
$0 \le x_i < \mathrm{ord}(g_i)$, then $g_1^{x_1} \cdots g_l^{x_l} = e$ implies that $x_i = 0$ for all i. Hence
$G = \langle g_1 \rangle \oplus \cdots \oplus \langle g_l \rangle$.



4 Hidden Subgroup Problem 

Let $G = \mathbb{Z}_{N_1} \times \cdots \times \mathbb{Z}_{N_l}$ where the $N_j$, $j = 1, \ldots, l$ are prime powers. We are given $f : G \to S$ for
some finite set S that is constant on cosets of some $K \le G$ but distinct on each coset. (The case
when distinct cosets are not mapped to distinct elements is addressed in Boneh and Lipton M and
in the Appendix of 0. Here, we need $m < |K|$ where m is the maximum number of cosets that
get mapped to the same output.) The hidden subgroup K is

$$\{k \in G \mid f(x) = f(x + k) \text{ for all } x \in G\}.$$

The Hidden Subgroup Problem is to find generators for K given only / and G. 
There exist polynomial-time quantum algorithms to solve this problem. 

Corollary 8 Let a be an element of a group G. The order r of a can be found in random quantum 
polynomial time. 

Proof : Consider the function f from $\mathbb{Z}$ to the group G where $f(x) = a^x$. Then $f(x) = f(y)$ if and
only if $x - y \in r\mathbb{Z}$. The hidden subgroup is $K = r\mathbb{Z}$ and a generator for K gives us the order r of
a.

Using Corollary 8, one can deduce the result by Shor.

Theorem 9 Factoring can be solved in random quantum polynomial time. 

In the next section, we shall show how to use the algorithm for finding hidden subgroup to 
decompose finite Abelian groups. 
5 Decomposing Abelian Groups



By Theorem 6 we know that we can decompose a finite Abelian group into a direct sum of cyclic
groups of prime power order. This problem was discussed briefly in Q. We make four assumptions
on the group G:

1. We have a unique binary representation for each element of G and we can efficiently recognize
if a binary string represents an element of G or not.

2. Using the binary representation, for any $a \in G$, we can efficiently construct a quantum
network for implementing $U_a : |y\rangle \to |ay\rangle$.

3. We can efficiently find a generating set for G. 

4. The orders of the generators are of prime power order. 

To meet the third assumption, it suffices to have an upper bound of $2^k$ on the size of the groups
we work with for some $k \in O(\log |G|)$ and that we can efficiently sample elements of G uniformly at
random. (If we do not have such a bound, we can easily devise a procedure that tries an increasing
sequence of values for k and still has expected running time in $O(\mathrm{poly} \log |G|)$). Let K be a proper
subgroup of G. Then there are at least two cosets of K. If we randomly sample an element x
from G, then with probability at least 1/2, the subgroup spanned by x and K will have size at
least twice that of K because the elements xk for all $k \in K$ are in the span. Hence, it takes
an expected number of at most $(1/(1/2))k = 2k$ samples to obtain a generating set Q for G and
therefore $2k + c\sqrt{k}$ samples will find a generating set with probability in $1 - \epsilon^c$ for some $\epsilon \in (0, 1)$
(by a Chernoff bound.)

Now we may assume that the orders of the elements are prime powers. Let a be an element
in Q with order pq where (p, q) = 1, $p \ne 1$ and $q \ne 1$. Note that p and q can be determined
efficiently as a result of Corollary 8 and Theorem 9. By the Euclidean algorithm, we can find r, s
such that rp + sq = 1. Thus $(a^p)^r (a^q)^s = a$. Hence, replacing a with $a^q$ and $a^p$ still leaves us with
a generating set. We repeat this procedure until each element in Q has prime power order.
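
The replacement step just described, as an added example that is not part of the paper: classical Python over the multiplicative group modulo N, in which brute-force order finding and trial division stand in for the quantum order finding and factoring of Corollary 8 and Theorem 9. The function names and the sample input (N = 35, generators 2 and 3) are assumptions of this example.

```python
def order(a, N):
    # Brute-force multiplicative order of a mod N (assumes gcd(a, N) = 1).
    # Classical stand-in for quantum order finding.
    r, v = 1, a % N
    while v != 1:
        v, r = v * a % N, r + 1
    return r

def coprime_split(n):
    # Write n = p*q with gcd(p, q) = 1 and p a prime power (n >= 2).
    # q == 1 exactly when n is itself a prime power. Trial division stands in
    # for quantum factoring.
    f = 2
    while n % f:
        f += 1
    p = 1
    while n % f == 0:
        n //= f
        p *= f
    return p, n

def prime_power_generators(gens, N):
    # Replace every generator of order pq, gcd(p, q) = 1, by a^q and a^p
    # until all orders are prime powers. The generated subgroup is unchanged.
    work, out = list(gens), []
    while work:
        a = work.pop()
        if a % N == 1:
            continue                      # the identity contributes nothing
        p, q = coprime_split(order(a, N))
        if q == 1:
            out.append(a)
            continue
        r = pow(p, -1, q)                 # r*p = 1 (mod q), Python 3.8+
        s = (1 - r * p) // q              # so r*p + s*q = 1, with s < 0
        # (a^p)^r (a^q)^s = a, which is why a can be dropped from the set
        assert pow(a, p * r, N) * pow(a, q * s, N) % N == a % N
        work += [pow(a, q, N), pow(a, p, N)]   # orders p and q respectively
    return out

# Constructed input: 2 and 3 both have order 12 = 4 * 3 modulo 35.
SPLIT = prime_power_generators([2, 3], 35)
```
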

Since we know the order pq of a, we can efficiently compute $a^{-1} = a^{pq-1}$ and therefore efficiently
perform the necessary uncomputation in order to satisfy the second assumption.

By Theorem 4, we have $G = G_{p_1} \oplus \cdots \oplus G_{p_l}$ where $p_i$ is a prime for all $i = 1, \ldots, l$ and $G_{p_i}$ is
a Sylow $p_i$-subgroup of G. Let $S_j$ be the set of all the elements in Q having order a power of the
prime $p_j$. For $a \in S_j$, let $K_a$ denote the (cyclic) subgroup generated by a. By Theorem 5, we have
$K_a = K_{p_1} \oplus \cdots \oplus K_{p_l}$ where $K_{p_i} \le G_{p_i}$ for all $i = 1, \ldots, l$. Since $|K_a|$ is a power of $p_j$, we must
have $K_a \le G_{p_j}$. Thus $S_j \subseteq G_{p_j}$. Since Q generates G, $S_j$ generates $G_{p_j}$. Hence, we can first find
the decomposition for each of the Sylow p-subgroups of G and then take their product to obtain a
decomposition of G.

There are two primary reasons why we want to have the fourth assumption. One reason is that 
we want to minimize the amount of quantum computing resources required in any implementation. 
It is therefore advisable to decompose the problem whenever it is possible. The second reason 
is that working with p-groups can greatly simplify the amount of algebra one needs to perform 
to recover the generators. This latter point will be elaborated at the end of the section. In the 
meantime, we present the algorithm given in || which finds generators of a group G with prime 
power order. 

Algorithm 10 Decompose-Group($a_1, \ldots, a_k$)
Input:

• A generating set $\{a_1, \ldots, a_k\}$ of the group G.

• The maximum order $q = p^r$ of the elements $a_1, \ldots, a_k$.
Output:

• A set of elements $g_1, \ldots, g_l$, $l \le k$, from the group G.
Procedure:

1. Define $g : \mathbb{Z}_q^k \to G$ by mapping $(x_1, \ldots, x_k) \to g(x) = a_1^{x_1} \cdots a_k^{x_k}$. Find generators for the
hidden subgroup K of $\mathbb{Z}_q^k$ as defined by the function g.

2. Compute a set $y_1, \ldots, y_l \in \mathbb{Z}_q^k/K$ of generators for $\mathbb{Z}_q^k/K$.

3. Output $\{g(y_1), \ldots, g(y_l)\}$.

To see the correctness of this algorithm, observe that the hidden subgroup K is the set
$\{(x_1, \ldots, x_k) \mid a_1^{x_1} \cdots a_k^{x_k} = e\}$. We therefore have an isomorphism between $\mathbb{Z}_q^k/K$ and G. If
$y_1, \ldots, y_l$ are generators for $\mathbb{Z}_q^k/K$, then $\{g(y_1), \ldots, g(y_l)\}$ are generators for G.

We now elaborate on how it is possible to find generators for $\mathbb{Z}_q^k/K$. Observe that $e_1, \ldots, e_k$
generate $\mathbb{Z}_q^k$ where $e_i$ is a 0,1-vector with a 1 in the ith co-ordinate. Further, if we let M = qI
where I is the $k \times k$ identity matrix, then $x_1 e_1 + \ldots + x_k e_k = 0$ (in $\mathbb{Z}_q^k$) if and only if $x \in \mathrm{intcol}(M)$.
By Theorem 3, $e_1 + K, \ldots, e_k + K$ generate $\mathbb{Z}_q^k/K$. Note that

$$v_1(e_1 + K) + \ldots + v_k(e_k + K) = K$$

if and only if $Iv \in K$ where I is the matrix $[e_1 \cdots e_k]$ and $v = (v_1, \ldots, v_k)^T$. Let A be the matrix the
columns of which generate K. Note that $Iv \in K$ if and only if there exists a vector x such that

$$Iv = Ax$$
$$\iff Iv = IAx$$
$$\iff I(v - Ax) = 0$$
$$\iff v - Ax \in \mathrm{intcol}(M)$$
$$\iff v \in \mathrm{intcol}([M|A]).$$

Applying Theorem 7 to $\{e_i + K \mid i = 1, \ldots, k\}$ and $M' = [M|A]$, we obtain $y_1, \ldots, y_l \in \mathbb{Z}_q^k/K$ such
that $\mathbb{Z}_q^k/K = \langle y_1 \rangle \oplus \cdots \oplus \langle y_l \rangle$ as desired.
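
Steps 2 and 3 of Algorithm 10 carried out classically, as an added example that is not the paper's code: the hidden subgroup K is brute-forced instead of obtained from the quantum algorithm, the matrix [M|A] is reduced to Smith normal form, and every row operation is mirrored on the generators so that the relation lattice of the current generators is always intcol of the current matrix. The group (the multiplicative group modulo 85), the generators 3, 7, 2 and all function names are assumptions of this example.

```python
from itertools import product
from math import prod

def relation_matrix(gens, q, N):
    # [M | A]: M = q*I, columns of A = all of the hidden subgroup K of Z_q^k
    # (brute-forced here; the paper gets generators of K from the quantum HSP step)
    k = len(gens)
    K = [x for x in product(range(q), repeat=k)
         if prod(pow(a, e, N) for a, e in zip(gens, x)) % N == 1]
    return [[q * (i == j) for j in range(k)] + [x[i] for x in K] for i in range(k)]

def decompose(gens, q, N):
    """Return [(g, order)] such that <gens> is the direct sum of the cyclic <g>."""
    g, M = list(gens), relation_matrix(gens, q, N)
    k, n = len(M), len(M[0])
    for t in range(k):
        while True:
            # pivot = nonzero entry of least absolute value in M[t:, t:]
            _, i, j = min((abs(M[i][j]), i, j) for i in range(t, k)
                          for j in range(t, n) if M[i][j])
            M[t], M[i] = M[i], M[t]            # a row swap ...
            g[t], g[i] = g[i], g[t]            # ... swaps the generators too
            for row in M:                      # column ops leave intcol unchanged
                row[t], row[j] = row[j], row[t]
            p = M[t][t]
            for i in range(t + 1, k):          # row_i -= c*row_t  <=>  g_t *= g_i^c
                c = M[i][t] // p
                M[i] = [x - c * y for x, y in zip(M[i], M[t])]
                g[t] = g[t] * pow(g[i], c, N) % N
            for j in range(t + 1, n):          # col_j -= c*col_t
                c = M[t][j] // p
                for row in M:
                    row[j] -= c * row[t]
            if any(M[i][t] for i in range(t + 1, k)) or any(M[t][t + 1:]):
                continue                       # remainders left: smaller pivot next
            bad = [i for i in range(t + 1, k) if any(x % p for x in M[i][t + 1:])]
            if not bad:
                break                          # p divides everything left: d_t fixed
            M[t] = [x + y for x, y in zip(M[t], M[bad[0]])]   # row_t += row_b
            g[bad[0]] = g[bad[0]] * pow(g[t], -1, N) % N       # <=> g_b *= g_t^-1
    return [(g[t], abs(M[t][t])) for t in range(k) if abs(M[t][t]) > 1]

# Constructed input: Z_85^* has order 64 = 2^6; 3, 7, 2 generate it, max order 16.
RESULT = decompose([3, 7, 2], 16, 85)
```

Negative exponents in `pow` need Python 3.8 or later. The returned orders are the diagonal entries $d_i > 1$ of the Smith normal form, so each divides the next.
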

Technically, we need not work with each Sylow p-subgroup of G separately. Suppose $a_{i1}, \ldots, a_{ik_i}$
generates the group $G_{p_i}$. Let $q_i = p_i^{r_i}$ be the maximum order of $a_{i1}, \ldots, a_{ik_i}$.
Define $g : \mathbb{Z}_{q_1}^{k_1} \times \cdots \times \mathbb{Z}_{q_l}^{k_l} \to G$ by mapping
$(x_{11}, \ldots, x_{1k_1}, \ldots, x_{l1}, \ldots, x_{lk_l})$ to $g(x) = \prod_{i=1}^{l} a_{i1}^{x_{i1}} \cdots a_{ik_i}^{x_{ik_i}}$. Proceed
as before. The only differences are that we need to build a huge quantum network to solve the
hidden subgroup problem and that in computing generators for
$(\mathbb{Z}_{q_1}^{k_1} \times \cdots \times \mathbb{Z}_{q_l}^{k_l})/K$ where K is the
hidden subgroup defined by g, we need to work with a huge matrix when applying Theorem 7
if the block structure of the matrix is not exploited. In practice, it is therefore desirable to avoid
this approach. Furthermore, for each prime p, instead of using $\mathbb{Z}_q^k$ where $q = p^r$ is the maximum
order of the elements $a_j$ (i.e. $r = \max\{t_1, t_2, \ldots, t_k\}$ where the order of $a_j$ is $p^{t_j}$), we could use

$$\mathbb{Z}_{p^{t_1}} \times \mathbb{Z}_{p^{t_2}} \times \cdots \times \mathbb{Z}_{p^{t_k}}.$$